After installed, ufw is not yet enable. This is a good thing because it is better to add you IP on the white liste first, otherwise you could be locked outside your remote server. You also have to allow SSH port to access the server remotely.

In fact, it is better to add rules at the beginning of the list, because for iptables and ufw, the first rule matching an IP is applied, and other are ignored. It means that if your deny rule is after a rule allowing a port for all IP, it will be ignored. To do that:

sudo ufw insert 1 deny from yyy.yyy.yyy.yyy

fail2ban and UFW

fail2ban is a server deamon that automatically ban attackers ip. To do that, fail2ban reads system logs (especially /var/log/auth.log and add a rule to block IP adress that try to access illegaly your server. It is usefull to block unwanted ssh access.

It is necessary, when installed with ufw, to configure fail2ban to work with ufw. Otherwise, there will be a conflict in iptables rules.

Ban a IP adress using IPTables

Be sure your newly added rule is before ACCEPT all rules, otherwise it won't work. You can specify where to insert the new rule if necessary using the rule number:

iptables -A INPUT 3 -s XXX.XXX.XXX.XXX -j DROP

Save IPTable rules automatically and permantely

Use iptables-persistent package under ubuntu.

sudo apt-get install iptables-persistent

If you want to manually save rules:

sudo service iptables-persistent save

SSH

If your server has a SSH server running, it is obvious that people will try to ssh login with brute-force attacks. You can use sshguard to prevent this kind of attacks. sshguard will add new IPTables rules to ban IP address doing attacks. To install it, just:

sudo apt-get install sshguard

Note: ssh protection is also done by fail2ban. I don't know which is the best one, but it is probably not necessary to have both together.

Login with certificate

First generate a pair of keys on the client:

ssh-keygen

Then copy the public key on the server. The command ssh-copy-id does all the job for you:

ssh-copy-id user@server

After that, you should be able to login via ssh without the need of the password.

logwatch

Logwatch can send you a formatted view of system logs every morning by email. It is usefull to check everyday the health of your server.